Over the past week we have published, on our DNSSEC blog, a detailed HOWTO on the signer migration process we went through last month. The full process, including a worksheet (also available separately) to help you during the process, is described in the document that you can download by clicking on the image on […]

The purpose of this step is to remove the DNSKEY record for the active ZSK from the source signer from the input zone and to resume automated key management. Once this step has taken place, the migration is complete. The situation at the end of this step is shown in the diagram below: To reach […]

The purpose of this step is to completely switch over to the destination signer. At the end of this step, continuous zone signing has been restarted and will only take place on the destination signer; zone publication will have been resumed and will use the output from the destination signer. The situation at the end […]

The purpose of this step is to switch the DS for the zone to point to the KSK of the destination signer. The situation at the end of this step is shown in the diagram below: To reach this situation, the following sub-steps need to be taken: Contact the parent zone (registry) to submit the […]

The purpose of this step is to create a fully cross-signed zone that includes the key set from the source as well as the destination signer. The situation at the end of this step is shown in the diagram below: To reach this situation, the following sub-steps need to be taken: Edit the output (i.e. […]

The purpose of this step is to introduce the DNSKEY records for the active keys from the destination signer on the source signer. The situation at the end of this step is shown in the diagram below: To reach this situation, the following sub-steps need to be taken: Stop the signer software on the source […]

The purpose of this step is to introduce the DNSKEY records for the active keys from the source signer on the destination signer and to get an RRSIG signature for the new DNSKEY set that this will result in, using the active keys on the destination signer. The end situation of this step is shown in […]

The purpose of this step is to configure the destination signer and to transition it to the situation as shown in the diagram below: To reach this situation, the following sub-steps need to be taken: Configure the zone to be migrated on the new signer; launch automated key management on the new signer but do […]

The purpose of this step is to clean up the source signer and to transition it to the situation shown in the image below: To reach this state, the following sub-steps need to be taken: Stop automated uploads of the input zone to the destination signer; stop active key management (when using OpenDNSSEC this means […]

The diagram above shows the starting situation on the source signer. The starting situation shown is a typical snapshot of the state of a signer that uses the “ZSK pre-publication” rollover strategy in which a ZSK is pre-published before it is made active and in which old signatures are gradually rolled to the new key […]